Copy outgoing messages
Hello. I'm configuring my own domain with Postfix, I have set up as this: user1 - personal mail ( 3 email addresses via aliases ) user2 - mail lists user3 - spam catch for spamassassin learn purposes user4 - a copy of user1 in /etc/postfix/aliases , so all mail received in user1 periodically is stored and archived, just for backup purposes if a crash happens, one script package and store this file periodically. I would like do a copy of the outgoing mail from user1, from all my 3 email addresses. always_bcc option I believe will not copy this, and is too much mail for store, I want save all outgoing mail from user1 only And, if there is other better option than create an "user4" for backup purposes I will be interessed to hear. Thanks Josep
Auto blacklist email addresses
Hello. One spammer has tried about 300 times send me email, always from the same address, but from about 20 different IP . Never pass verify sender, always get 450 errormy question is...when one email fail postfix verify_sender 4 or 5 times..will be possible auto-blacklist this email for one week, for example? I use postfix 2.6.5 and postgrey 1.32 Thanks Josep
Re: Auto blacklist email addresses
Hello Ralph. Fail2ban can blacklist email addresses too? I want reject email addresses, not block IPs. Thanks Josep El lun, 29-03-2010 a las 21:41 +0200, Ralf Hildebrandt escribió: > * Josep M. : > > Hello. > > > > One spammer has tried about 300 times send me email, always from the > > same address, but from about 20 different IP . Never pass verify sender, > > always get 450 errormy question is...when one email fail postfix > > verify_sender 4 or 5 times..will be possible auto-blacklist this email > > for one week, for example? > > You could use fail2ban for that >
Doubts about ciphers in Postfix
Hello. I have designed my own scripts for curiosity, for test saslauthd and Postfix AUTH plain and login in both ports, and also test the ciphers in Postfix. I have some doubts about ciphers in Postfix, I will explain, all ciphers available with "openssl ciphers -v" there is three that always fail with postfix ( I tested with Debian Lenny (5.0) and Debian Squeeze (testing and future 6.0) ) openssl ciphers -v DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 EDH-RSA-DES-CBC3-SHASSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHASSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHASSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-MD5SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export Always fail, in both ports 25 and 587: DES-CBC3-MD5SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 All others ciphers run ok in both ports 25 and 587..Should I disable these three ciphers in Postfix? Do I need install any other package? There is something broken? The errors are all as this: ./102-mail-smtp-test-starttls-p25-plain.sh CIPHER..: RC2-CBC-MD5 TEST FAILED command: openssl s_client -cipher RC2-CBC-MD5 -starttls smtp -crlf -connect localhost:25 2>&1 1373:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: CONNECTED(0003) Thanks Josep
Re: Doubts about ciphers in Postfix
Hello Victor. I tried before post here with "-ssl2" on the command line, got bad result too:( ./101-mail-smtp-test-starttls-p25-login.sh CIPHER..: RC2-CBC-MD5 TEST FAILED command: openssl s_client -cipher RC2-CBC-MD5 -ssl2 -starttls smtp -crlf -connect localhost:25 2>&1 3263:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: CONNECTED(0003) Josep El mié, 23-12-2009 a las 07:47 -0500, Victor Duchovni escribió: > On Wed, Dec 23, 2009 at 10:53:41AM +0100, Josep M. wrote: > > > I have designed my own scripts for curiosity, for test saslauthd and > > Postfix AUTH plain and login in both ports, and also test the ciphers in > > Postfix. > > Your curiousity exceeds your skill to interpret the results. > > > Always fail, in both ports 25 and 587: > > > > DES-CBC3-MD5SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 > > RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 > > DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 > You forgot to specify "-ssl2" on the command-line, and got a v3 handshake > with a v2-only cipher-list. This does not happen in practice. >
Re: Doubts about ciphers in Postfix SOLVED
El mié, 23-12-2009 a las 07:47 -0500, Victor Duchovni escribió: > On Wed, Dec 23, 2009 at 10:53:41AM +0100, Josep M. wrote: > > > I have designed my own scripts for curiosity, for test saslauthd and > > Postfix AUTH plain and login in both ports, and also test the ciphers in > > Postfix. > > Your curiousity exceeds your skill to interpret the results. Other ciphers was running well with ssl2, this was the mistake. The error was in my scripts, now is solved:) Josep
Authentication in Postfix (for spam)
Hello. In lasts days one spammer had fun with my email address sending me hundresds of emails, most of them rejected by postfix anti-spam measures, but not all. I will explain the spammer send from internet (without authentication): from: websurfer at navegants.com to: websurfer at navegants.com I have saslauthd running ok, and noboby can send outside the network without auth (except localhost), butDo I need something for that one IP from internet can't send email "from me to me" without authentication? Thanks Josep smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,reject_unauth_pipelining, check_recipient_access hash:/etc/postfix/recipient_checks, check_helo_access hash:/etc/postfix/helo_checks, check_helo_access hash:/etc/postfix/access_helo check_sender_accesshash:/etc/postfix/sender_checks.domain, check_sender_accesshash:/etc/postfix/sender_checks.email, check_client_accesshash:/etc/postfix/client_checks, reject_unknown_sender_domain,reject_unknown_recipient_domain, reject_non_fqdn_sender ,reject_non_fqdn_recipient, reject_multi_recipient_bounce,reject_unlisted_recipient, reject_unverified_recipient,permit_sasl_authenticated , check_policy_service unix:private/policy check_policy_service inet:127.0.0.1:6 check_sender_access hash:/etc/postfix/verify_domain check_recipient_access hash:/etc/postfix/verify_user permit
Re: Authentication in Postfix (for spam) SOLVED
Hello. Thanks!...Your tip Works great! One question more: You said ".example.com" (with point) What is the differenceincludes subdomains? > > == sender_reject > example.com REJECT authentication required > .example.com REJECT authentication required > Thanks Josep El dom, 27-12-2009 a las 20:47 +0100, mouss escribió: > Josep M. a écrit : > > Hello. > > > > In lasts days one spammer had fun with my email address sending me > > hundresds of emails, most of them rejected by postfix anti-spam > > measures, but not all. > > > > I will explain the spammer send from internet (without authentication): > > > > from: websurfer at navegants.com > > to: websurfer at navegants.com > > > > I have saslauthd running ok, and noboby can send outside the network > > without auth (except localhost), butDo I need something for that one > > IP from internet can't send email "from me to me" without > > authentication? > > > > > > depends what ou mean by "from:" > > if it's the From: header, then there's nothing you can do. check the > mail you posted to the list and you'll see that it has your address in > the "From:" header. > > if you mean the envelope sender (MAIL FROM command), then you can do > different things. For example, > > smtpd_recipient_restrictions = > permit_mynetworks > permit_sasl_authenticated > reject_unauth_destination > check_sender_access hash:/etc/postfix/restricted_sender > ... > > == sender_reject > example.com REJECT authentication required > .example.com REJECT authentication required > > > PS. Please put the check_sender_access AFTER reject_unauth_destination. > (sorry for shouting, but it's for your safety!). >
Delete port 465 in master.cf
Hello. I have Postfix running since some years ago and always ok, now when upgraded to Debian Lenny started giving to me these error messages when tested port 465 Nov 7 09:15:57 140 postfix/smtpd[26674]: fatal: bad boolean configuration: smtpd_tls_auth_only = Nov 7 09:15:58 140 postfix/master[11065]: warning: process /usr/lib/postfix/smtpd pid 26674 exit status 1 Nov 7 09:15:58 140 postfix/master[11065]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling I was reading that port 465 is not supported in new versions of Postfix, so I will use port 587 as I was doing, I would like ask if these line in master.cf config file can be deleted without broke nothing. I tested and apprently is ok. #smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtp d_sasl_auth_enable=yes -o smtpd_tls_auth_only = yes -o smtpd_client_restrictions=permit_sasl_authen ticated,reject Thanks Josep
Verify_sender in log files
Hello. Time ago I was using this for see what addresses had "verify_sender" feature, is just for my own domain. egrep '(Address verification in progress)' /var/log/maillog But now postfix 2.5.5 don't display this in the log files, there is any parameter that I should add to postfix for have this? I added "-vv" in master.cf but nothing has changed. Thanks Josep
Re: Verify_sender in log files
Hello Wietse. Thanks, but the purpose of look what addresses had verify_sender was for add some of these addresses to my whitelists, this is what I was looking to do. Josep El jue, 27-11-2008 a las 12:33 -0500, Wietse Venema escribió: > Josep M.: > > Hello. > > > > Time ago I was using this for see what addresses had "verify_sender" > > feature, is just for my own domain. > > > > egrep '(Address verification in progress)' /var/log/maillog > > This REJECT message is logged only if it takes too long to find out > the address status. > > You will have more consistent results with > > egrep 'status=(un)?deliverable' /var/log/maillog > > Wietse
Re: Verify_sender in log files
Hello Wietse, Sure, but my question is: how can I check what sender addresses postfix has done the "verify_sender" option? This is what I would like have in logs and extract from logs. Thanks Josep El jue, 27-11-2008 a las 13:24 -0500, Wietse Venema escribió: > Josep M.: > > Time ago I was using this for see what addresses had "verify_sender" > > feature, is just for my own domain. > > > > egrep '(Address verification in progress)' /var/log/maillog > > Wietse: > > This REJECT message is logged only if it takes too long to find out > > the address status. > > > > You will have more consistent results with > > > > egrep 'status=(un)?deliverable' /var/log/maillog > > Josep M.: > > Thanks, but the purpose of look what addresses had verify_sender was for > > add some of these addresses to my whitelists, this is what I was looking > > to do. > > Your egrep pattern finds only the addresses that need more than > 6 seconds before the result is known. > > My egrep pattern does not have this problem. > > Wietse
